Class 8Introduction to Anonymity

CIS 755: Advanced Computer SecuritySpring 2015

Eugene Vasserman

http://www.cis.ksu.edu/~eyv/CIS755_S15/

Administrative stuff

• Monday office hours moved to 2:30– Will be 2:30 – 4

• How was your break?

• Quiz graded– Discussion

Anonymity Concepts

• Privacy– Confidentiality

• Anonymity/Pseudonymity– Unobservability– Unlinkability

Properties of eCash

• Unforgeability

• Non-reusability

• Anonymity– Untraceability– Unlinkability

Dining Cryptographers

• Three people toss coins: heads=1, tails=0• Menus hide right-hand coin• XOR your coin flip result and left

neighbor’s result• Report value to everyone• Report opposite value to send a single bit• If the sum is odd, someone sent a message

Dining Cryptographers II

• Slow• Error-prone• Needs tamper detection• Does not scale• Provides unobservability

Unobservability

• k-anonymity (scalable dining cryptographers)– Must be implemented very carefully

• Link padding– Inefficient– Cover traffic knowledge

Unlinkability

• Sender X Receiver(Sender can’t identify receiver)

• Sender X Receiver(Receiver can’t identify sender)

• Sender X Receiver(Neither knows who the other is)

– How do we handle authentication?

• Unobservability implies unlinkability (?)

For Bob For Bob from Alicefrom AliceFor Carol For Carol from Alicefrom AliceFor David For David from Alicefrom Alice

Onion Encryption

Source routing with capabilities

B, dataS3S2S1 B

S3

S2

S1

A

Message for BobWrapping for CarolWrapping for Doug

Onion Encryption IIBob

Alice

Wrapping for Edward

Edward

Doug

Carol

Chaum MixesBob

Alice

Output in lexographic order

Global AdversaryBob

Alice

Chaum Mix CascadeBob

Alice

Anonymous Reply

• Address for replies:

• Reply:

• Mix0 decrypts N,A; sends:

• Mix decrypting reply does not know destination• Mix encrypting reply does not know source

Mixminion

A

B

C

D

E Bob

A,B,C,D,E

Alice

Bob

Problems with Mixminon

• Centralized entities required– Availability failure– Anonymity failure (how?)

• Malicious nodes:– Control entry and exit– Unlikely

Anonymous Email

• High-latency• Low-throughput• Provides unlinkability

– Have to be careful about authentication

• No default end-to-end confidentiality (PGP)– Actually, there is for replies

• Secure against global adversary

Anonymous Web Browsing

• Low-latency• Medium-throughput• Server does not know client• Provides sender unlinkability

– Have to be careful about authentication

• No default end-to-end confidentiality (SSL)• NOT secure against global adversary

Tor

A

B

C

TCP over TCP (UGH!)

Anonymous Web Services

• Web service does not know client• Client does not know web service• Provides sender and receiver unlinkability

• Rendezvous

Tor Hidden Services

A

B

C

D

E

F

Problems with Tor

• Global adversary– What are the possible attacks?– Long term intersection– Defined as NOT HANDLED by Tor– Functional vs. actual?

• Packet counting

• Packet sampling

Problems with Tor

• “Centralized” entities required– Availability failure– Anonymity failure (how?)

• Malicious nodes:– Control entry and exit

• Hopefully unlikely – entry guards

• Preferential attraction of clients– Eureka! We can lie!

Problems with Tor II

• Information leakage from software– Web browser language– System time– How else?

• Malicious attacks on software– How?

Problems with Tor III

• Information leakage from design:– Latency (Hopper et al.)

• Unlinkability failure:– Latency (Hopper et al.)

• See a pattern?• Prevention?

Global AdversaryBob

Alice

Mix serverMix

server

Global Adversary vs. TorBob

Alice

Entire Tor

network

Entire Tor

network

Problems with Tor

• Preferential attraction of clients– Eureka! We can lie!

• Information leakage from software• Information leakage and linkability failure

from latency (Hopper et al.)• Malicious nodes

– Control entry and exit• Hopefully unlikely – entry guards

Tor Network Positioning Attack

A

B

C

M

Tor Linkability Attack

A

B

C

Tor Selective DoS Attack

A

B

C

Tor reliability

• RDoS = (1-t)2 + (tf)3

(1-t)2 dominates

A defense – entry guards

Useful, but ≤ 3 guards may decrease resilience

Othermixes

Questions?

Reading discussion